Gartner Recommends Against Microsoft IIS

This site may earn affiliate commissions from the links on this page. Terms of use.

Companies that were hit by both the Code Red and Nimda worms should quit using Microsoft’s Internet Information Server immediately, says Gartner’s research director for Internet security, John Pescatore.

“Code Red had so much publicity. Dan Rather was talking about it. It had to be a wake up call,” for business owners and system administrators, says Pescatore. “If you got hit by Nimda, you’ve proven you can’t keep up with the security problems of IIS. It’s like a car: Don’t buy a Fiat unless you are prepared to get it fixed a lot.”

Gartner, one of the best-known high tech consulting firms, seldom advises its clients to steer clear of specific software.

The firm’s recommendation is the latest in a string of hits IIS has taken on the security front. This summer, J.S. Wurzler Underwriting Managers began charging up to 15 percent more in premiums to clients that use IIS. Wurzler’s decision was made before the Code Red worm  which feasted on IIS’s vulnerabilities  caused some $2 billion in damage. Wurzler is also charging higher premiums to clients who use NT. The underwriter, who relies on London syndicates for coverage, based the decision on security surveys that it has done on more than 400 companies.

Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software. That turnover may mean that security patches don’t get installed, said the company’s CEO and founder, John Wurzler. If companies are able to prove that their administrators are following best practices and have installed all up-to-date patches on their NT and IIS machines, they can get discounts on their premiums.

“Our sense is this is an extreme recommendation that would require customers to make a more costly alternative and ignores the fact that security is an industry-wide issue that affects all platforms,” said Microsoft spokesman Jim Desler. “IIS is as secure our competitors’ server software and the real issue is how a company supports and responds to vulnerabilities and viruses and worms.” Desler added that companies who have installed all the recommended patches — available at no charge on Microsoft’s Web site  were not hurt by Nimda.

The Nimda worm can spread through e-mail, file sharing and Web site downloads. The worm bundles several well-publicized exploits against IIS, as well as Microsoft’s Internet Explorer browser and operating systems such as Windows 2000 and Windows XP, which have IIS embedded in their code.

Pescatore said a key problem for IIS is that much of its source code is three years old. And he has been concerned about the software’s vulnerability for months. “When the Code Red worm came out, we did a research note that said enterprises had better realize that IIS has a high total cost of ownership.”

Despite the worms and the issues raised by Gartner and Wurzler, no insurance brokers or carriers have said they will change their approach to IIS.

Tracey Vispoli, cyber solutions manager at Chubb, a large insurance carrier, said that her company includes software platforms among several factors when it sets premiums for insurance coverage. Even if a company using IIS got hit by the Code Red and Nimda worms, “It’s still a risk that Chubb would take if the company can show they have technology and security in place. We look at their philosophy toward security,” she said.

This site may earn affiliate commissions from the links on this page. Terms of use.

ExtremeTech Newsletter

Subscribe Today to get the latest ExtremeTech news delivered right to your inbox.

Email

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our
Terms of Use and
Privacy Policy. You may unsubscribe from the newsletter at any time.